The Fall 2025 newsletter


In this Fall edition of “Of Trees and Tries” we’re excited to share what we have been up to since the summer. If you were at IETF in Montreal earlier this month, hopefully you got a chance to say hi to Benno (busy times as Nomcom chair), Luuk & Jasper (IDR/routing, Rotonda) and Yorgos (DNSOP & Unbound).

Read on to learn about a new product that is set to replace an old community favourite, presentations the team has been delivering all over Europe, and to meet our newest colleague.

Announcing Cascade, a friendly DNS signer

At OARC 45, Arya presented our new DNSSEC signing solution, Cascade.

Coinciding with its first alpha release, she talked about the need for Cascade and how it tries to meet DNS operators’ needs. It’s opened up a lot of interesting conversations with operators about their signing workflows and how Cascade can help them, and we’re steadily building Cascade into something production-ready. A recording of Arya's talk is not yet available. In the meantime, have a look at our vision for Cascade, documentation or development.

Before we wrote a single line of code for Cascade, we did extensive research among 16 TLD operators to learn more about their operational needs and what keeps them up at night. We published our findings in a report, and Alex presented this research at OARC 45 and ICANN 84.

Unveiling a new product to the world is a proud and nerve-wracking moment, made wondrous by the enthusiastic and prolific feedback of the community, whom we cannot thank enough, with special shout-outs to Stéphane Bortzmeyer and JP Mens.

"Bookmakers start to accept bets on the respective number of tickets created for by @jpmens or me" - by @bortzmeyer@mastodon.gougere.fr

Their friendly competitive spirit and rigorous eyes kept us busy with a steady flow of alpha releases in the weeks thereafter, containing fixes and improvements. They even contributed documentation and published multiple articles about Cascade: we couldn't do this without you!

Quick reminder: We're a small team and can only do what we do thanks to our users. If you've thought about getting a support contract, or donating time, services or money, please do. Any and all support is welcome so that we can keep serving this fine community.

An end of life plan for OpenDNSSEC

On October 3rd, we informed our users and the wider DNS community about the planned End-of-Life (EOL) timeline for OpenDNSSEC. Operators are encouraged to start planning a replacement. We will offer Cascade as a successor to OpenDNSSEC along with migration tooling and documentation, and encourage operators to begin evaluating Cascade now that an alpha release is available. A production-ready release is expected mid-2026.

News - End-of-Life Roadmap for OpenDNSSEC
OpenDNSSEC will reach end of life in two years, October 2027.


The DNS runs on Free and Open Source Software

Maarten travelled to ICANN84 in Dublin to present “The DNS runs on Free and Open Source Software”, a recent study by ICANN’s Security and Stability Advisory Committee (SSAC) that he co-chaired.

The report examines the critical role of Free and Open Source Software (FOSS) within the DNS and shows that FOSS is the norm for the most fundamental components of the DNS. Prepared with policymakers in mind, the report provides an overview of the DNS and the FOSS model, along with research on the prevalence of FOSS. The paper then examines several contemporary cases of cybersecurity regulations from the US, UK, and EU adapted to account for FOSS within the DNS ecosystem. The SSAC concludes with findings and actionable guidelines for policymakers to strengthen the FOSS ecosystem that is critical to the secure and stable operation of the Internet.

The report is available for download, and so are a 20 minute summary and a 60 minute presentation.

Presenting Rotonda, our BMP and BGP collector

Luuk presented Rotonda to the Dutch network operator community at the yearly NLNOG Day, and then again to the RIPE community during RIPE91 in Bucharest, Romania.

In the presentation, he guided the audience through the different components that comprise Rotonda, and how Roto (more on Roto below) is used to provide flexibility in and between these components. Enabling operators to tailor a monitoring solution to their networks specifically is one of the main goals of Rotonda, and the new features in the (special NLNOG Day) 0.5.0 release reflect just that. Using Roto, operators can now specify their own custom metrics, to be hooked up to their existing monitoring and alerting, as well as their own custom HTTP endpoint filters, allowing for complex queries on the stored routing information.

While we met people already using Rotonda in ways we did not think of (which was the goal all along: letting operators' creativity take the wheel), we also learned that for many operators BMP is still on an 'I-should-try-that-sometime' list. In many cases, not having a simple-to-deploy BMP collection solution was part of why it never came off that list. But it seems there is also a fair share of operators that are not aware of BMP (the BGP Monitoring Protocol) at all. That's why we will keep trying to spread the word on BMP, and make sure Rotonda will always be as easy to deploy as it is today.

Overall, we had many conversations with people operating networks ranging from NRENs to IXPs who showed an interest in using Rotonda. These conversations served as useful input and, moreover, gave us energy and enthusiasm to keep improving both Rotonda and Roto in ways that will empower operators best.

Roto, a fast scripting language

Terts presented our scripting language Roto at EuroRust 2025. We chose to present at this event since Roto might also be interesting to the wider Rust community. He talked about what Roto is and how it works, showing how developers can add Roto scripting to their own applications. The presentation sparked several interesting conversations about Roto and other scripting languages implemented in Rust. The recording should be available online soon and will be linked from our presentations page.

Glad you're with us full-time, Jannik

After working part-time for a year while finishing their studies, Jannik joined NLnet Labs full-time in August 2025. In that first year, Jannik worked on integrating AF_XDP sockets and adding Prometheus metrics into NSD, and on the various DNS projects in Rust, most recently Cascade.

🎓 Jannik finished their master’s in Security and Network Engineering with their thesis on the “Impact of Merkle Tree Ladder (MTL) Mode Signatures on DNSSEC” (and therefore DNS message) size, and signing and verification performance. They found that in the then-current state of the draft of MTL Mode Signatures only (most) data responses would benefit from MTL Mode signatures, while responses to queries for the SOA or DNSKEY RRsets and NXDOMAIN or NODATA responses would have very large signatures. Jannik also described options for the MTL Mode authors to update their draft to reduce the signature size of those responses.

🗞 From the News Desk

  • August saw the release of Krill 0.15.0 ‘But I Digress’, with a lot of changes under the hood (refactoring of code and update of dependencies), and two breaking changes: to command line parsing and to multi-user authentication configuration with OpenID Connect.
  • Version 4.13.0 of NSD was released with a number of features enabled by default to decrease differences in packaging, and experimental support for XDP that we previously blogged about.
  • Routinator release 0.15.0 ‘This Ain’t No Disco’ featured a decrease in the amount of information logged that is not actionable by operators. Those who prefer to see messages about the inner workings of the RPKI, such as expired certificates, should have a look at the log-repository-issues command-line and configuration option. A subsequent patch release 0.15.1 ‘Ain’t No Country Club Either’ fixed two bugs.
  • Unbound versions 1.24.0 (featuring increased defaults, the num.valops statistic, unbound-control cache_lookup, and bug fixes) and 1.24.1 (fixing CVE-2025-11411) were released.

Thanks for reading, until next time!

Love from the NLnet Labs crew